From 157eb3e5dadb6678ad1d4ed64ef773c5aaab6027 Mon Sep 17 00:00:00 2001
From: Henrik Lissner
Date: Fri, 26 May 2017 20:17:51 +0200
Subject: [PATCH] Revise tls-program; rely on default trust stores

Addresses #72 & #80
---
 core/core-packages.el | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/core/core-packages.el b/core/core-packages.el
index a5c8efdb9..16ce669b8 100644
--- a/core/core-packages.el
+++ b/core/core-packages.el
@@ -85,11 +85,12 @@ base by `doom!' and for calculating how many packages exist.")
 ;; than pulled, so packages are often out of date with upstream.
 ;; security settings
- gnutls-verify-error (not (getenv "INSECURE")) ; INSECURE is for integrated testing
+ gnutls-verify-error (not (getenv "INSECURE")) ; you shouldn't use this
 tls-checktrust gnutls-verify-error
 tls-program (list "gnutls-cli --x509cafile %t -p %p %h"
- ;; less likely to be secure, but allow for backwards compatibility
- "openssl s_client -connect %h:%p -no_ssl2 -ign_eof")
+ ;; compatibility fallbacks
+ "gnutls-cli -p %p %h"
+ "openssl s_client -connect %h:%p -no_ssl2 -no_ssl3 -ign_eof")
 use-package-always-defer t
 use-package-always-ensure nil